X-Git-Url: https://iankelling.org/git/?a=blobdiff_plain;f=web-conf;h=977c8cfb38166ec6099e56999502594eb159c50d;hb=26e797e8fd4117747ec1bf1246286fa6f6f402c6;hp=6b18b2e5c7ae2b63fb3f10d208cc4a4cec61af92;hpb=25c6d2d6bcf37d708fec0e529a88f035588c8b7d;p=basic-https-conf
diff --git a/web-conf b/web-conf
index 6b18b2e..977c8cf 100755
--- a/web-conf
+++ b/web-conf
@@ -154,6 +154,13 @@ if $ssl; then
# cleanup the call to ourselves a short bit ago
rm $se/$h.conf
fi
+ # these scripts only run on renew, that is kinda dumb.
+ export RENEWED_LINEAGE=/etc/letsencrypt/live/$h
+ for script in /etc/letsencrypt/renewal-hooks/deploy/*; do
+ if [[ -x $script ]]; then
+ "$script"
+ fi
+ done
fi
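Review bot: The hook loop exports only `RENEWED_LINEAGE`, but certbot's deploy hooks are also invoked with `RENEWED_DOMAINS`, so any hook in `/etc/letsencrypt/renewal-hooks/deploy/` that reads it will see it unset here (and abort under `set -u`); if the lineage for `$h` covers just that one name, `export RENEWED_DOMAINS=$h` next to the existing export keeps the contract the hooks were written for. The hooks' exit status is also not examined: a failing hook either stops the whole script, if `set -e` is active above this hunk, or is silently skipped, and neither is reported; `"$script" || echo "$0: deploy hook $script failed" >&2` makes the outcome visible without changing the flow for successful hooks. Both exports stay in the environment of every later child process of this script, which is harmless for these values but worth a comment since the variables look certbot-private. The enclosing `if $ssl; then` block starts before the hunk.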
@@ -236,6 +243,19 @@ EOF
if (( port == 443 )); then
echo "$0: creating $redir_file"
+
+ # note, alternatively:
+ cat >/dev/null <<'EOF'
+#https://webmasters.stackexchange.com/questions/124635/apache-redirect-http-to-https-without-preventing-http
+
+Redirect permanent "/" "https://mydomain.ltd/"
+
+# or, with generic rewrite, we use this on gnu.org
+RewriteEngine on
+RewriteCond %{HTTP:Upgrade-Insecure-Requests} "^1$"
+RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,QSA,R=307]
+EOF
+
cat >$redir_file <
ServerName $h
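Review bot: The `cat >/dev/null <<'EOF'` heredoc added right after the `echo "$0: creating $redir_file"` line is executable code used as a comment: it forks a `cat` on every run and, sitting a few lines above the real `cat >$redir_file` heredoc, invites a reader to mistake it for output that lands in the redirect file. The same `Redirect permanent` / `RewriteCond %{HTTP:Upgrade-Insecure-Requests}` alternative can be kept as a plain `#` comment block, which documents the option without executing anything or adding a second `EOF` delimiter to the function. The `cat >$redir_file <` line appears truncated in this rendering, presumably the heredoc operator was lost, so the tail of the hunk cannot be checked here; the enclosing `if (( port == 443 ))` block continues past the hunk.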
@@ -264,7 +284,7 @@ EOF
# manually, Certbot will be unable to automatically provide future security
# updates. Instead, Certbot will print and log an error message with a path to
# the up-to-date file that you will need to refer to when manually updating
-# this file.
+# this file. Contents are based on https://ssl-config.mozilla.org
SSLEngine on